EldoS | Feel safer!

Software components for data protection, secure storage and transfer

SSL App design question

Posted: 06/30/2008 21:45:02
by Kevin Donn (Standard support level)
Joined: 08/16/2007
Posts: 20

I'm far enough out of my element with security that I thought I should ask for some general advice. Let me explain what I'm trying to do and get a sanity check on whether it's reasonable. I have a desktop notes product and I'd like to give it the ability to make notes accessible through an https server built into the app. But I'd like access to the notes to be as secure as is practical. It isn't practical for each installation to have its own certificate signed by a CA. So at best I'll only be able to have self-signed certificates.

Now my question. Is it practical using SSLBlackbox to create self-signed certificates on the user's machine without user interaction? I would like the user to be totally insulated from the complexities of producing a certificate. I would like the user to simply be able to tell the application to activate the https server and have the application build the self-signed certificates as needed.

I realize that the system will always be vulnerable to man-in-the-middle attacks with this design, but since CA-signed certificates are pretty much out of the question, I think it's the best I'll be able to do.

I already know that I can secure my Indy http server with SSLBlackbox. Will I also be able to create certificates on the fly like this?

Kevin Donn
Posted: 07/01/2008 05:39:10
by Ken Ivanov (Team)

Is it practical using SSLBlackbox to create self-signed certificates on the user's machine without user interaction?

Sure. You just need to set up the necessary fields of the TElX509Certificate object and then call the Generate() method.

We suggest you to slightly modify your scheme in order to improve the overall security level of your application. Create a self-signed certificate which would be a CA for the certificates of all your customers (this CA certificate should be created beforehands). When a customer installs your product, generate a certificate for him and sign it using that CA certificate. This will help you detect if the HTTPS server you are connecting to uses 'legal' certificate (i.e., generated by your application).

The CA certificate can be hard-coded into the application in encrypted form. Of course, an attacker can extract it, but extraction process will give him extra headache. To achieve real security, you should keep the CA certificate in safe place and generate certificates for your customers in your environment, but, as I understood, this way is not a suitable one for you.
Posted: 07/01/2008 06:10:33
by Scratch  (Standard support level)
Joined: 02/07/2008
Posts: 34

As fo me I storĂ³ only server's cert fingerprint inside client app. As for client apps, they generate CSRs, send them to server and get server-signed their certs back. The only thing client should do is to enter a kind of pin code which is generated on server and must be entered on clientside to verify that it is really him. that's it )
Posted: 07/01/2008 19:56:38
by Kevin Donn (Standard support level)
Joined: 08/16/2007
Posts: 20

OK, great, that's encouraging. I'm still trying to get a handle on how to use all these classes correctly though. To begin I'm just trying to work through how to use the various sample applications so that I can then use them as guides once I understand how they work. But so far I'm not having as much luck as I would hope.

OK, so I want to run through an example of creating my own self-signed certificate and then making the https server demo use it. When I build the SSL\Server\Delphi\Indy\IOHandler10 demo, I'm able to start it, hit it with IE and get my 12345 page back. Great. Success.

Now, I'd like to use the PKI\Certificates demo to generate a self-signed certificate. I took all the defaults and wound up with a certificate in the "System stores/MY" branch. I have exported it in every format offered (I think - cer, key, p7b, pem, pfx). Then I've run the https server application and tried to load the certificate by using the "Certificate store" buttons every way I can think of. Sometimes it just tells me it's a bad certificate. Sometimes it seems to accept it. But regardless, when I click "Start Listen" and connect to the server with IE, IE never completes the handshake.

Should what I'm trying basically work? If so, what is the magic I'm missing?

Thanks as always!
Kevin Donn
Posted: 07/02/2008 05:52:57
by Ken Ivanov (Team)

For historical reasons, the IOHandlerDemo sample expects the certificate in DER format and the key in PEM format. Please use the following steps to load the certificate:

1) Save the certificate in PEM format together with private key (both certificate and private key are put to the same file).

2) Open the IOHandlerDemo, find the implementation of TForm1.Button1Click procedure and replace the following line:

TmpX509Cert.LoadFromBuffer(@Buffer[0], I);


TmpX509Cert.LoadFromBufferPEM(@Buffer[0], I, '');

It's a good idea to check the return value of the LoadFromBufferPEM() method to detect load failures in a right place:

var R : integer;
R := TmpX509Cert.LoadFromBufferPEM(@Buffer[0], I, '');
if R <> 0 then
raise Exception.Create(...);

3) Run the demo, specify a path to your certificate and click the "Add to Server Store" button. There's no need in specifying the private key.
Posted: 07/02/2008 19:28:02
by Kevin Donn (Standard support level)
Joined: 08/16/2007
Posts: 20

That worked fine. The only other thing I'd add for someone else stumbling through this is that when the cert demo asks you whether you'd like to put a password on the private key, just click OK but don't provide a password. With a password on the private key the IOHandlerDemo was unable to use the key but didn't give any errors - it just fails.

OK, guys, I think I'm rolling now. I have enough to be dangerous! :-)

Thanks for all you help.




Topic viewed 1864 times

Number of guests: 1, registered members: 0, in total hidden: 0


Back to top

As of July 15, 2016 EldoS business operates as a division of /n software, inc. For more information, please read the announcement.

Got it!